Depending on what the SCADA system controls I would be VERY careful. I would never try to pentest a water treatment plant without having it fully staffed and everyone informed that the electronics may go haywire and having away to quickly reset everything to normal. I have run too many nmap scans that caused old and poorly designed equipment/software to freak out and send out bad data or worse stop responding i.e. showing a water tank full when it has been emptying for an hour. SCADA systems are way too fragile to play with. Your best defense is to put the SCADA system on its own private and physical network. What I mean is a network that is not in anyway shape or form plugged into equipment that has any non SCADA equipment on it. And make sure it is NOT internet accessible. If it is an absolute requirement that the SCADA system be remotely controlled, use a VPN, two factor authentication, and at least 2 hardware firewalls to get to the SCADA network. I have never seen a SCADA system that could function properly with a software firewall installed on it.